[Snort-sigs] Help to configure SNORT

Matt Kettler mkettler at ...189...
Tue Dec 23 13:15:02 EST 2003

At 02:07 PM 12/23/2003, Lorenzo Rossi wrote:
>Hi, I'm new to snort.

Fair enough. As a new user, may I point you in the direction of the 
snort-users mailing list?

snort-users is for general discussion and questions about usage, 
configuration, etc.

snort-sigs is for signature development work. Analysis of attacks, 
documentation writing, etc.

>Now I can see lots of lines like this:
>fragroute) detection

You should be able to get rid of these by configuring spp_stream4 with 

This is also the default setting in the default snort.conf, so I'm not sure 
why you've been getting these alerts.

False positives are part of the drawbacks of having the evasion alerts on. 
It detects "strange" behaviors, but there are a lot of broken TCP/IP stacks 
that are commonly used that look "strange".
